Fix a heap overflow in loadpgrd.cpp

 3 years ago
source link: https://gitlab.com/OpenMW/openmw/-/merge_requests/784
==781106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000055c0 at pc 0x0000008245a2 bp 0x7fffddc0fbb0 sp 0x7fffddc0fba8
READ of size 4 at 0x6040000055c0 thread T0
    #0 0x8245a1 in ESM::Pathgrid::load(ESM::ESMReader&, bool&) /home/jvoisin/dev/openmw/openmw/components/esm/loadpgrd.cpp:106:44
    #1 0x51126a in load(Arguments&) /home/jvoisin/dev/openmw/openmw/apps/esmtool/esmtool.cpp:389:21
    #2 0x50aa40 in main /home/jvoisin/dev/openmw/openmw/apps/esmtool/esmtool.cpp:216:20
    #3 0x7f436666ecb1 in __libc_start_main csu/../csu/libc-start.c:314:16
    #4 0x44834d in _start (/home/jvoisin/dev/openmw/openmw/build_fuzz_asan_master/esmtool+0x44834d)

0x6040000055c0 is located 0 bytes to the right of 48-byte region [0x604000005590,0x6040000055c0)
allocated by thread T0 here:
    #0 0x4f205d in operator new(unsigned long) (/home/jvoisin/dev/openmw/openmw/build_fuzz_asan_master/esmtool+0x4f205d)
    #1 0x821971 in __gnu_cxx::new_allocator<int>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
    #2 0x821971 in std::allocator_traits<std::allocator<int> >::allocate(std::allocator<int>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:460:20
    #3 0x821971 in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
    #4 0x821971 in std::vector<int, std::allocator<int> >::reserve(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:78:22
    #5 0x821971 in ESM::Pathgrid::load(ESM::ESMReader&, bool&) /home/jvoisin/dev/openmw/openmw/components/esm/loadpgrd.cpp:89:40
    #6 0x51126a in load(Arguments&) /home/jvoisin/dev/openmw/openmw/apps/esmtool/esmtool.cpp:389:21
    #7 0x50aa40 in main /home/jvoisin/dev/openmw/openmw/apps/esmtool/esmtool.cpp:216:20
    #8 0x7f436666ecb1 in __libc_start_main csu/../csu/libc-start.c:314:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jvoisin/dev/openmw/openmw/components/esm/loadpgrd.cpp:106:44 in ESM::Pathgrid::load(ESM::ESMReader&, bool&)
Shadow bytes around the buggy address:
  0x0c087fff8a60: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8a70: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
  0x0c087fff8a80: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8a90: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c087fff8aa0: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
=>0x0c087fff8ab0: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c087fff8ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==781106==ABORTING
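The report above shows a 4-byte read at loadpgrd.cpp:106 landing 0 bytes past a 48-byte (12 x int) region that vector<int>::reserve allocated at line 89: an index into a reserved vector ran one element past the data actually read from the file. The following is an added example, not OpenMW's code, that models that shape with assumed names (Record, Edge, buildEdges) and rejects a record whose per-point connection counts claim more targets than the record supplies.

```cpp
// Added example, not OpenMW's code. Models a pathgrid-like record whose
// per-point connection counts and flat target list both come from an
// untrusted file; every index is checked before it is used to read.
#include <cstddef>
#include <optional>
#include <vector>

struct Edge { int v0; int v1; };

// Constructed stand-in for a pathgrid record as it arrives from a file.
struct Record {
    int pointCount;                  // number of points the record declares
    std::vector<int> connectionNum;  // per point: how many edges it claims (untrusted)
    std::vector<int> rawConnections; // flat list of edge targets (untrusted)
};

// Builds edges only when every read stays inside rawConnections and every
// target names an existing point; otherwise rejects the whole record.
std::optional<std::vector<Edge>> buildEdges(const Record& r) {
    if (r.pointCount < 0 ||
        r.connectionNum.size() != static_cast<std::size_t>(r.pointCount))
        return std::nullopt;
    std::vector<Edge> edges;
    std::size_t rawIdx = 0;
    for (std::size_t i = 0; i < r.connectionNum.size(); ++i) {
        int n = r.connectionNum[i];
        if (n < 0) return std::nullopt; // negative count: malformed
        for (int j = 0; j < n; ++j) {
            // An unchecked loader does raw[rawIdx++] here; when the per-point
            // counts add up to more than the file supplied, that read runs off
            // the end of the reserved allocation, which is what ASan flagged.
            if (rawIdx >= r.rawConnections.size()) return std::nullopt;
            int target = r.rawConnections[rawIdx++];
            if (target < 0 || target >= r.pointCount) return std::nullopt; // dangling edge
            edges.push_back({static_cast<int>(i), target});
        }
    }
    return edges;
}

// Constructed inputs: a well-formed record, and one whose counts sum to 13
// against 12 supplied targets (the 12 x 4 = 48-byte shape in the report).
Record goodRecord()     { return {3, {4, 4, 4}, {1,2,1,2, 0,2,0,2, 0,1,0,1}}; }
Record overflowRecord() { return {3, {4, 4, 5}, {1,2,1,2, 0,2,0,2, 0,1,0,1}}; }
```

With the check in place the malformed record is refused instead of being read one element past its 12 targets.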
